Guidance

10 Steps: Secure Configuration

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

By putting in place corporate policies and processes to develop secure baseline builds and manage the configuration and the ongoing functionality of all Information and Communications Technologies (ICT), organisations can greatly improve the security of their ICT systems. Good corporate practice is to develop a strategy to remove or disable unnecessary functionality from ICT systems and keep them patched against known vulnerabilities. Failure to do so is likely to result in increased exposure of the business and its ICT to threats and vulnerabilities and therefore increased risk to the confidentiality, integrity and availability of systems and information.

2. What is the risk?

Establishing and then actively maintaining the secure configuration of ICT systems should be seen as a key security control. ICT systems that are not locked down, hardened or patched will be particularly vulnerable to attacks that may be easily prevented.

Organisations that fail to produce and implement corporate security policies that manage the secure configuration and patching of their ICT systems are subject to the following risks:

Unauthorised changes to systems

An attacker could make unauthorised changes to ICT systems or information, compromising confidentiality, availability and integrity.

Exploitation of unpatched vulnerabilities

New patches are released almost daily, and the timely application of security patches is critical to preserving the confidentiality, integrity and availability of ICT systems. Attackers will attempt to exploit unpatched systems to gain unauthorised access to system resources and information. Many successful attacks are enabled by exploiting a vulnerability for which a patch had been issued before the attack took place.

Exploitation of insecure system configurations

An attacker could exploit a system that has not been locked down or hardened by:

  • Gaining unauthorised access to information assets or importing malware
  • Exploiting unnecessary functionality that has not been removed or disabled to conduct attacks and gain unauthorised access to systems, services, resources and information
  • Connecting unauthorised equipment to exfiltrate information or introduce malware
  • Creating a back door to use in the future for malicious purposes

Increases in the number of security incidents

Without an awareness of the vulnerabilities that have been identified and the availability (or not) of patches and fixes, the business will be increasingly disrupted by security incidents.

3. How can the risk be managed?

3.1 Develop corporate policies to update and patch systems

Use the latest versions of operating systems, web browsers and applications. Develop and implement corporate policies to ensure that security patches are applied in a timeframe that is commensurate with the organisation’s overall risk management approach. Organisations should use automated patch management and software update tools.

3.2 Create and maintain hardware and software inventories

Create inventories of the authorised hardware and software that constitute ICT systems across the organisation. Ideally, suitably configured automated tools should be used to capture the physical location, the business owner and the purpose of the hardware together with the version and patching status of all software used on the system. The tools should also be used to identify any unauthorised hardware or software, which should be removed.

3.3 Lock down operating systems and software

Consider the balance between system usability and security and then document and implement a secure baseline build for all ICT systems, covering clients, mobile devices, servers, operating systems, applications and network devices such as firewalls and routers. Essentially, any services, functionality or applications that are not required to support the business should be removed or disabled. The secure build profile should be managed by the configuration control and management process and any deviation from the standard build should be documented and formally approved.
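As an added illustration of sections 3.2 and 3.3 (not part of the original guidance), the script below reconciles a host's recorded software and running services against a constructed authorised inventory and baseline build, flagging unauthorised software, software below the required patch level, and deviations from the standard build that have no formally approved record. All host names, package names, versions and ticket references are constructed placeholders.

```python
"""Reconcile a host against the authorised inventory and secure baseline build.

Constructed example: the inventory, baseline and approved-deviation register
would normally come from the organisation's configuration management tooling.
"""

# Authorised software per baseline build: package name -> minimum patched version.
AUTHORISED_SOFTWARE = {
    "office-client": {"browser": "40.0", "pdf-reader": "11.0", "vpn-client": "5.2"},
}

# Services the baseline build requires to be disabled.
BASELINE_DISABLED_SERVICES = {
    "office-client": {"telnet", "ftp", "remote-registry"},
}

# Deviations documented and formally approved through change management,
# keyed by host. Values carry the deviation and a (placeholder) change ticket.
APPROVED_DEVIATIONS = {
    "host-0042": {"service:ftp": "CHG-PLACEHOLDER-1"},
}


def version_tuple(version):
    """Turn '40.1.2' into (40, 1, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def reconcile(host, build, installed, running_services):
    """Return sorted findings for one host.

    installed: {package name: installed version}
    running_services: set of service names currently enabled on the host
    """
    findings = []
    allowed = AUTHORISED_SOFTWARE[build]
    for name, version in installed.items():
        if name not in allowed:
            findings.append(f"unauthorised software: {name} {version}")
        elif version_tuple(version) < version_tuple(allowed[name]):
            findings.append(f"unpatched: {name} {version} < {allowed[name]}")
    approved = APPROVED_DEVIATIONS.get(host, {})
    for service in running_services & BASELINE_DISABLED_SERVICES[build]:
        if f"service:{service}" in approved:
            continue  # documented and approved deviation from the standard build
        findings.append(f"unapproved deviation: service {service} enabled")
    return sorted(findings)


if __name__ == "__main__":
    for line in reconcile("host-0042", "office-client",
                          {"browser": "39.1", "p2p-client": "3.0"}, {"ftp", "telnet"}):
        print(line)
```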

3.4 Conduct regular vulnerability scans

Organisations should run automated vulnerability scanning tools against all networked devices regularly and remedy any identified vulnerabilities within an agreed time frame. Organisations should also maintain their situational awareness of the threats and vulnerabilities they face.

3.5 Establish configuration control and management

Produce policies and procedures that define and support the configuration control and change management requirements for all ICT systems, including software.

3.6 Disable unnecessary input/output devices and removable media access

Assess business requirements for user access to input/output devices and removable media (this could include MP3 players and smartphones). Disable ports and system functionality that are not needed by the business (which may include USB ports and CD/DVD/card media drives).

3.7 Implement whitelisting and execution control

Create and maintain a whitelist of authorised applications and software that can be executed on ICT systems. In addition, ICT systems need to be capable of preventing the installation and execution of unauthorised software and applications by employing process execution controls and software application arbiters, and by only accepting code that is signed by trusted suppliers.

3.8 Limit user ability to change configuration

Provide users with the minimum system rights and permissions that they need to fulfil their business role. Users with ‘normal’ privileges should be prevented from installing or disabling any software or services running on the system.